
Showing posts from October, 2010

Security awareness versus social engineering

The thumbnail shows the first of a series of 6 posters in November's security awareness module on social engineering.  It's a particularly important topic for us because security awareness is by far the most important control against social engineering.  Alert employees who appreciate the threat and know what to do if they feel they are being targeted stand a much better chance of resisting attacks than those who remain blissfully unaware throughout. As always, the newsletter sets the scene for the topic and outlines the risks associated with exploiting people rather than technologies.  The social engineering capture-the-flag competition at this year's DefCon hacker conference was a real eye-opener for many: we couldn't help but notice a number of prominent organizations hastily sending out warning notices to their employees ahead of the CTF competition, even though the rules of the game were strictly limited to keep the event ethical and educational.  What's more,...

The decade ahead

I wrote the following piece in response to a request for input by David Lacey on his blog. David and other luminaries in ISSA-UK had a meeting to discuss what they feel are the biggest security challenges we'll face in the decade ahead. An ISSA White Paper is planned at the end of this year, so it would be good for the wider infosec community to collaborate on this. I composed the following as a reply to David's blog, but for some reason the ComputerWeekly site refuses to accept it. Perhaps it's too long or goes against their editorial principles, who knows? Anyway, here's what I wrote ... FWIW my main concern for the decade ahead is the increasing power and resourcing of the black hat community - not so much the lone home hackers and hacker clubs (who are formidable but rather fragmented and, from what I've seen, relatively benign, well-meaning even in some cases) but the true criminal community that increasingly uses hacking and social engineering to harves...

Complex passwords - easy peasy

Thanks to someone on CISSPforum, here's a gift idea for busy, well-connected friends on your holiday list - a password directory: "There are user IDs and passwords to remember everywhere you turn. There are codes and passwords for a variety of Web sites, bank accounts, frequent traveler programs and voicemail systems. It's tough to keep track of them all! Our Password Directory can help. It's alphabetically organized to log the user name, password or a password hint for any number of applications. It's a thoughtful gift for the busy, well-connected friends on your holiday list." Unbelievable! Well, actually it's entirely credible. Worryingly, there probably is a market for products like this, at least among the clueless buying for the security unaware. I'm puzzled as to the evident lack of general interest in or uptake of secure 'password vault' programs, which neatly solve the most awkward and annoying aspects of the passwor...

Should Compliance be part of Information Security?

The first recommendation in Verizon's latest report on PCI compliance reads: Don’t drive a wedge between compliance and security.  Whatever your stance on the “compliance vs. security” debate, hopefully we can all agree that intentionally keeping them apart doesn’t make sense from either a compliance or a security perspective.  Why force a false dichotomy between two concepts that should, in theory, be in alignment?  After all, they both have the goal of protecting data.  Sure, maybe you’ll need to do some things for compliance that you wouldn’t do for security (based on risk assessment or tolerance) or vice versa, but it’s hardly an either-or situation across the board.  The overall direction of managing compliance should be in line with the security strategy.  Is your compliance management team the same as your security management team?  If not, is there a concerted effort to collaborate when and where possible or do both sides govern their own priv...

Snooping on students costs school district $610k

Wired.com is reporting that the Lower Merion school district, found guilty of invading its students' privacy by spying on them through webcams installed in the school-issued MacBook laptops, has to pay $610,000 to settle lawsuits brought by two students. The school district claims not to have been deliberately spying on students in a non-specific way (a 'dragnet' operation). However, the fact that a secret photo was used by the school as evidence to discipline a student indicates that, at the very least, it was deliberately and consciously using the software to snoop on the student concerned. Snooping facilities of this nature are normally intended to obtain evidence and so help recover stolen computers. This raises questions about whether such evidence might open the door to privacy complaints by those accused of stealing or using stolen computers. Furthermore, this case potentially has implications for other situations in which an organization, or indeed an individual...